We are looking for colleagues who already have experience with the connection of SAML to Analytics for authentication, since we are unfortunately not successful with the documents from the documentation.
For SAML and FNMS the documentation is very good and the configuration is comprehensible. For the setup of SAML in connection with Cognos Analytics, there is unfortunately only a hint that you select the SAML Authentication in the "Flexera Report Designer Package Import Utility" and update the configuration.
Unfortunately we lack transparency about what is happening in the background now.
When setting up FNMS and SAML, an XML had to be exchanged with the IDP and the corresponding configuration had to be done in webui.config (kentor.auth). All this does not seem to be necessary with Analytics, but how should Cognos then communicate with the SAML IDP?
Thanks for your support and greetings,
Dennis
Jun 07, 2021 03:05 AM
Enclosed is an update and a note to adjust the Flexera documentation if necessary. As described in the documentation, it is recommended to take over the FNMS SAML settings from the web.config 1:1 ("Edit the web.config file using the same values noted in step 2 and 4 above."). Unfortunately, according to our current experience, this is not quite correct. For each web application a separate IDP identityID must be requested; for this reason the simple transfer of the data leads to an error.
Requesting a new entityID for the IDP and updating the config solved the issue.
If your implementation uses Flexera Analytics, configure the separate web.config file for your Flexera Analytics server.
Flexera Analytics is visible by navigating to Reports > Analytics. If this is present:
- Switch to your Cognos server.
- Flexera Analytics (Cognos) is likely to reside on a separate server. For SAML-based single sign-on to work, the Cognos server and web application server must be in the same domain.
- In your flat text editor, open the local web.config file for the Cognos server.
- The default location (on Windows) is <drive>:\Program Files\ibm\cognos\analytics\cgi-bin.
- Edit the web.config file using the same values noted in step 2 and 4 above.
@kent-au, @WheresThePizza or @ChrisG : Can you confirm this and do you think a change in the wording of the documentation is appropriate?
Sep 13, 2021 07:17 AM - edited Sep 13, 2021 07:18 AM
Hi,
we have made small progress, but continue to have problems with SAML authentication. As described in the FNMS documentation on Analytics and SAML, we have copied the corresponding configurations of FNMS SAML into the web.config of Analytics.
When the Analytics Server is called, communication with the IDP also begins and an initial request for access data (PKI) is made. We have recorded the communication with a SAML tracer and found an error here, including an error message from the IDP (IBM F5).
<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id9a3d3ee252d74447b32d7562e73fe***"
    Version="2.0"
    IssueInstant="2021-09-05T21:11:44Z"
    Destination="https://idp-url/isam/sps/idpextqs/saml20/login"
    AssertionConsumerServiceURL="https://analytics-url/ibmcognos/sso/AuthServices/Acs">
  <saml2:Issuer>https://fnms-url/Suite</saml2:Issuer>
</saml2p:AuthnRequest>
If I have seen it correctly in IIS, Cognos itself does not provide an Authentication ACS endpoint to match information regarding the login, for that the FNMS ACS should be used. Attached is the <kentor.authServices> snippet from Cognos web.config
<kentor.authServices
    entityId="https://fnms-url/Suite"
    returnUrl="https://fnms-url/Suite/AuthServices"
    authenticateRequestSigningBehavior="Never"
    minIncomingSigningAlgorithm="sha1">
  <identityProviders>
    <add entityId="https://idp-url/isam/sps/idpextqs/saml20"
         signOnUrl="https://idp-url/isam/sps/idpextqs/saml20/login"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpPost"
         loadMetadata="true"
         metadataLocation="C:\Program Files\ibm\cognos\idpextqs_metadata.xml">
    </add>
  </identityProviders>
  <serviceCertificates>
  </serviceCertificates>
</kentor.authServices>
Do any of you have a hint on how to get Cognos to use the correct Authentication ACS endpoint? I'm also looking for a way to activate debugging for Cognos SAML as it is possible for the FNMS webui.log (Maybe @kent-au or @fnishikado @fnishikado1 )
FNMS in combination with SAML2 and the IDP works without problems.
Thanks and Best, Dennis
Sep 06, 2021 03:12 AM - edited Sep 06, 2021 03:14 AM
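The two posts above describe the same mismatch from both sides: the captured AuthnRequest names the FNMS entityId as Issuer while its AssertionConsumerServiceURL points at the Analytics host, and the later update explains that each web application needs its own entityId at the IdP. The script below is an added example for this thread (not Flexera or IBM code) that parses a captured AuthnRequest and a `kentor.authServices` section and reports that mismatch, plus the weaker settings visible in the copied config (`authenticateRequestSigningBehavior="Never"`, `minIncomingSigningAlgorithm="sha1"`, `allowUnsolicitedAuthnResponse="true"`). The sample documents are constructed from the placeholders in the posts, and the assumption that the Cognos server is reachable as `analytics-url` is taken from the ACS URL in the capture.

```python
"""Consistency checks for a captured SAML AuthnRequest and the
kentor.authServices web.config section that produced it.

Added example for this thread, not Flexera or IBM code. The two XML
documents below are constructed from the placeholders in the posts;
the Cognos hostname 'analytics-url' is an assumption taken from the ACS URL.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the AuthnRequest as the SAML tracer showed it, ID replaced by a placeholder.
AUTHN_REQUEST = """<saml2p:AuthnRequest
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="id-placeholder" Version="2.0" IssueInstant="2021-09-05T21:11:44Z"
  Destination="https://idp-url/isam/sps/idpextqs/saml20/login"
  AssertionConsumerServiceURL="https://analytics-url/ibmcognos/sso/AuthServices/Acs">
  <saml2:Issuer>https://fnms-url/Suite</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed: the FNMS settings copied 1:1 into the Cognos web.config (metadata path is a placeholder).
COPIED_CONFIG = r"""<kentor.authServices entityId="https://fnms-url/Suite"
  returnUrl="https://fnms-url/Suite/AuthServices"
  authenticateRequestSigningBehavior="Never" minIncomingSigningAlgorithm="sha1">
  <identityProviders>
    <add entityId="https://idp-url/isam/sps/idpextqs/saml20"
      signOnUrl="https://idp-url/isam/sps/idpextqs/saml20/login"
      allowUnsolicitedAuthnResponse="true" binding="HttpPost"
      loadMetadata="true" metadataLocation="C:\placeholder\idp_metadata.xml" />
  </identityProviders>
  <serviceCertificates></serviceCertificates>
</kentor.authServices>"""


def parse_authn_request(xml_text):
    """Extract Issuer, Destination and ACS URL from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml2:Issuer", NS)
    return {"issuer": issuer.text.strip() if issuer is not None and issuer.text else "",
            "destination": root.get("Destination", ""),
            "acs_url": root.get("AssertionConsumerServiceURL", "")}


def parse_kentor_config(xml_text):
    """Extract the SP-side and first IdP settings from a kentor.authServices element."""
    root = ET.fromstring(xml_text)
    idp = root.find("identityProviders/add")
    unsolicited = idp.get("allowUnsolicitedAuthnResponse", "false") if idp is not None else "false"
    return {"sp_entity_id": root.get("entityId", ""),
            "return_url": root.get("returnUrl", ""),
            "request_signing": root.get("authenticateRequestSigningBehavior", ""),
            "min_signing_alg": root.get("minIncomingSigningAlgorithm", ""),
            "idp_sign_on_url": idp.get("signOnUrl", "") if idp is not None else "",
            "allow_unsolicited": unsolicited.lower() == "true"}


def host(url):
    return (urlparse(url).hostname or "").lower()


def check_request(req, cfg):
    """Findings about one captured AuthnRequest versus the config that produced it."""
    findings = []
    if req["issuer"] != cfg["sp_entity_id"]:
        findings.append("issuer-differs-from-config")
    if req["destination"] != cfg["idp_sign_on_url"]:
        findings.append("destination-differs-from-signon-url")
    if host(req["acs_url"]) != host(req["issuer"]):
        # The IdP only knows the ACS registered for this Issuer; it will not
        # deliver a response for it to a host it has never been told about.
        findings.append("acs-host-differs-from-issuer-host")
    return findings


def check_config(cfg, deployed_host):
    """Findings about a kentor.authServices section deployed on deployed_host."""
    deployed_host = deployed_host.lower()
    findings = []
    if host(cfg["sp_entity_id"]) != deployed_host:
        findings.append("entity-id-belongs-to-another-application")
    if host(cfg["return_url"]) != deployed_host:
        findings.append("return-url-points-to-another-application")
    if cfg["request_signing"].lower() == "never":
        findings.append("authn-requests-unsigned")
    if cfg["min_signing_alg"].lower() == "sha1":
        findings.append("sha1-accepted-for-incoming-signatures")
    if cfg["allow_unsolicited"]:
        findings.append("unsolicited-idp-responses-accepted")
    return findings


if __name__ == "__main__":
    req, cfg = parse_authn_request(AUTHN_REQUEST), parse_kentor_config(COPIED_CONFIG)
    print("request:", check_request(req, cfg))
    print("config on analytics-url:", check_config(cfg, "analytics-url"))
```

Run against the constructed samples, `check_request` reports only `acs-host-differs-from-issuer-host`, which is exactly the state the tracer capture shows, and `check_config` with `analytics-url` as the deployed host flags the copied entityId and returnUrl along with the three weaker settings. After the fix the update describes (a separate entityId registered at the IdP for Analytics, with the config updated accordingly), the first two config findings and the request finding disappear; the signing and unsolicited-response findings are independent of that fix and worth reviewing on both servers.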